Cryptocat vulnerability excuse sparks debate over open source

In patching its open-source chat application, Cryptocat implied such software is less secure than proprietary products, spurring an open source versus commercial application debate among security experts.

Cryptocat makes a snooping-resistant instant messaging (IM) application that runs inside a Web browser. The open-source project apologized last week for a now-fixed bug that made it too easy for an attacker to decrypt and read conversations.

The vulnerability, found by researcher Steve Thomas, is serious because the software is used by activists trying to avoid government eavesdropping, journalists having sensitive conversations with sources and lawyers seeking privacy while talking to clients.

In a blog post, Cryptocat took full responsibility for the flaw and added, "We will commit failures dozens, if not hundreds of times more in the coming years, and we only ask you to be vigilant and careful. This is the process of open source security."

The comment baffled Paul Royal, associate director of the Georgia Tech Information Security Center. "He could have generalized the statement to: 'This is the process of software security -- period,'" Royal said on Monday. "I don't quite understand why open source makes it inherently risky, like somehow because software is proprietary a developer will not make a mistake."

However, other experts disagreed, saying that because open-source software is developed by an unpaid group of engineers, there are going to be security lapses.

"Since open source software isn't owned by anyone, there are no dedicated software maintenance people and enhancements are made by whoever can and wants them," said Murray Jennex, associate professor for computer security at San Diego State University.

Dan Olds, an analyst for Gabriel Consulting Group, agreed, saying developers paid to build software have more at stake in getting it right.

"The key difference is that commercial developers depend on the quality of their product to pay their mortgages and feed their families," Olds said. "I would argue that this forces commercial developers to pay more attention to bugs and to do more rigorous testing."

In addition, companies can be held liable for software left insecure due to negligence, Olds said.

Morgan Davis, a senior trainer and engineer at Security Innovation, said it's not fair to blame open-source security. "The failures of Cryptocat are not failures of open-source versus closed-source development, but rather a failure in the secure development process," Davis said.

"They failed to execute effective security practices in requirements, design, [and] implementation and throughout the rest of the development process," he said.


Cryptocat published a threat model for its namesake software that is "rudimentary at best, and never identifies cryptography as being a potential weak point," Davis said.

"Consequently, they -- through their crypto-ignorance -- implemented a terrible series of crypto-blunders," he said.

A major difference between proprietary and open-source software is that the latter's source code is available to everyone, including hackers. While that means less skill is needed to find vulnerabilities, there is no shortage of experienced developers who can do the binary reverse engineering needed to find just as many flaws in proprietary applications, Royal said.

"The primary difference will be in the level of skill at which a person can reverse engineer to discover that vulnerability," he said.

Commercial vendors will place protective layers over their code to prevent the theft of their intellectual property, Royal said. But that has not stopped hackers from exploiting a steady stream of vulnerabilities in Microsoft Windows and Adobe Flash, examples of popular applications often targeted by cybercriminals.

Therefore, the ubiquity of the software is what dictates the risk, Royal said. The more popular it is among consumers and businesses, the more likely criminals will look for flaws and develop malware to exploit them.

"In general, software used by many people is going to be targeted," he said.

While that may be true, a hacker is still likely to find open source software easier to crack, said Jennex. "I never recommend anyone use open source software for critical applications unless you are going to maintain it yourself and, of course, inspect it and keep it safe," he said.
